security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cc8a89b6792ba7671d45c255e3042fba5df7cadf
blue-team-tools/rules/windows/builtin/win_susp_iss_module_install.yml
T
Florian Roth b0cb0abc01 Bugfix: wrong field for 4688 process creation events
2018-12-11 16:10:15 +01:00

37 lines
1.1 KiB
YAML
Raw Blame History

---
action: global
title: IIS Native-Code Module Command Line Installation
description: Detects suspicious IIS native-code module installations via command line
status: experimental
references:
- https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
author: Florian Roth
modified: 2012/12/11
tags:
- attack.persistence
- attack.t1100
detection:
condition: selection
falsepositives:
- Unknown as it may vary from organisation to arganisation how admins use to install IIS modules
level: medium
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- '*\APPCMD.EXE install module /name:*'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- '*\APPCMD.EXE install module /name:*'
Reference in New Issue View Git Blame Copy Permalink